Do you have published IT Security Policies and Procedures? If not, you need them!
All businesses should have written IT Policies and Procedures, and many are required by statute to maintain and report on them to governing organizations.
For example, in 2016 New York State enacted new Cybersecurity Regulations known as 23 NYCRR 500, which require ANY organization that deals with Insurance, Banking, or Financial Services Laws, even peripherally, to do several things and file compliance documents with the State.
Regulations aside, all businesses should have published, comprehensive policies and procedures for Information Technology.
According to NIST*, a complete IT Policy and Procedures Document will contain the following topics:
| General | Network Security | Server Security | Application Security |
| --- | --- | --- | --- |
| | | | Web Application Security Policy |
What's in a name? We frequently hear people use the names "policy", "standard", and "guideline" to refer to documents that fall within the policy infrastructure. According to the SANS Institute:
A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.
A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows 10 workstation for placement on the network. People must follow this standard exactly if they wish to install a Windows 10.1 workstation on an external network segment. In addition, a standard can be a technology selection, e.g. Company Name uses XYZ AntiVirus for all systems, and supporting policies and procedures define how it is used.
A guideline is typically a collection of system-specific or procedural-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.
Founded in 1989 by enterprise technical experts, Managed Services Team quickly grew to become the regional leader in IT support for businesses in Western New York. In 2003 we introduced the concept of fixed-fee pricing, a.k.a. Managed Services, and eliminated forever the mystery of IT support costs.
Today we service clients across every industry, providing IT Support, Web Development and Hosting, and Contemporary VOIP communications systems. Call today for a fresh look at your technology.